About 2PM EST yesterday, 13-Sep-2016, the server started showing a lot of these types of messages in the log, where the from= and to= were the same, as below (I've hidden the domain name). The filtering I have in place took care of most of the hits, and fail2ban did the rest.

I ended up with a bit more than 1500 IPs banned in 24 hours. I ran the following grep on the mail log to get a list of IPs that were participating, and was surprised to get more than 15000 IPs. Someone has a very large SPAM operation.

None of the 300+ customers (probably closer to 500, but I don't know how many are actively being used, like the postmaster or webmaster accounts etc.) or 50+ other domains complained about not being able to get email. The only thing that alerted me to a problem was the following logwatch entry, which I had never seen before. I actually thought I might have done something accidentally.

--------------------- Postfix Begin ------------------------

2 *Warning: Process limit reached, clients may delay

Yes, I checked, and my process limit is still set at 100.

Note this log entry was at about the 2/3 point of the attack. I'm not sure what tomorrow's log will show, but I'll post if it's interesting.

Now I have a list of IPs that were part of the attack. Any ideas what to do with them? I'm thinking of feeding them to iptables for a week or so, but I doubt it would do much good.
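The post above does not show the grep or the log lines themselves. As an added example (not the poster's script and not part of iRedMail), the following Python does the equivalent in a repeatable way: it parses Postfix smtpd reject lines, keeps only those where the envelope from= and to= are the same address, counts hits per client IP, and turns the result into an ipset session that expires each entry after a week, which is one way to do the "feed them to iptables for a week" idea without a rule per IP. The log lines embedded in it are constructed for illustration; the regular expression assumes the standard postfix/smtpd "NOQUEUE: reject:" line layout, and the set name dict_attack, the one-week timeout and the min_hits threshold are arbitrary choices.

```python
"""
Count the client IPs behind Postfix rejects whose envelope sender equals
the envelope recipient, then emit ipset commands with a one-week timeout.

Added example, not taken from the original forum post. SAMPLE_LOG is
constructed for illustration; the regex assumes the usual postfix/smtpd
"NOQUEUE: reject: RCPT from host[ip]: ... from=<a> to=<b>" layout.
"""
import re
import sys
from collections import Counter

# Client IP is in square brackets after "RCPT from <hostname>"; the envelope
# addresses follow later on the same line as from=<...> to=<...>.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from [^\[]*\[([0-9a-fA-F.:]+)\]"
    r".*?from=<([^>]*)> to=<([^>]*)>"
)

# Constructed sample: two hits from one client, one from another (with a
# case difference in the sender), one unrelated reject, one non-reject line.
SAMPLE_LOG = """\
Sep 13 14:01:07 mail postfix/smtpd[21034]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 553 5.7.1 <alice@example.com>: Sender address rejected: not logged in; from=<alice@example.com> to=<alice@example.com> proto=ESMTP helo=<ylmf-pc>
Sep 13 14:01:09 mail postfix/smtpd[21034]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 553 5.7.1 <bob@example.com>: Sender address rejected: not logged in; from=<bob@example.com> to=<bob@example.com> proto=ESMTP helo=<ylmf-pc>
Sep 13 14:01:12 mail postfix/smtpd[21040]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 553 5.7.1 <carol@example.com>: Sender address rejected: not logged in; from=<Carol@example.com> to=<carol@example.com> proto=ESMTP helo=<x>
Sep 13 14:01:15 mail postfix/smtpd[21041]: NOQUEUE: reject: RCPT from mx.partner.example[192.0.2.9]: 450 4.1.8 <news@partner.example>: Sender address rejected: Domain not found; from=<news@partner.example> to=<dave@example.com> proto=ESMTP helo=<mx.partner.example>
Sep 13 14:01:20 mail postfix/smtpd[21042]: connect from unknown[203.0.113.5]
""".splitlines()


def attacker_ips(log_lines, min_hits=1):
    """Return a Counter {client_ip: hits} for rejects where from == to.

    Comparison is case-insensitive, since the local part of an address is
    often logged exactly as the client sent it. IPs with fewer than
    min_hits matching rejects are dropped.
    """
    hits = Counter()
    for line in log_lines:
        m = REJECT_RE.search(line)
        if not m:
            continue
        ip, sender, rcpt = m.groups()
        if sender.lower() == rcpt.lower():
            hits[ip] += 1
    return Counter({ip: n for ip, n in hits.items() if n >= min_hits})


def ipset_rules(hits, set_name="dict_attack", timeout_seconds=7 * 24 * 3600):
    """Build lines for `ipset restore`; each entry expires after the timeout.

    Busiest offenders come first so a truncated list still bans the worst.
    """
    lines = [f"create {set_name} hash:ip timeout {timeout_seconds}"]
    for ip in sorted(hits, key=lambda k: (-hits[k], k)):
        lines.append(f"add {set_name} {ip} timeout {timeout_seconds}")
    return lines


if __name__ == "__main__":
    # Read a real mail log from stdin if one is piped in, else use the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    print("\n".join(ipset_rules(attacker_ips(source, min_hits=1))))
```

Usage: `python3 dict_attack_ips.py < /var/log/mail.log | ipset -exist restore`, then block the set on the SMTP ports with `iptables -I INPUT -p tcp -m multiport --dports 25,465,587 -m set --match-set dict_attack src -j DROP`. Because every entry carries its own timeout, the ban list empties itself after a week without any cleanup job, and re-running the script just refreshes the timers for IPs still active. A hash:ip set also scales to the 15000 addresses mentioned above far better than 15000 individual iptables rules.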

Re: Got hit by a dictionary attack - iRedMail survived fine.

Spammers like this usually try from lots of different IPs to avoid being banned.

The most important point is always forcing your end users to use a strong password. Fail2ban helps a lot in this case, but as you can see, the spammer has lots of IP addresses to try to crack your passwords, so the final defence is the user's strong password.

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?